AWS Security Blog

Category: Technical How-to

AWS Secrets Manager

How to use the BatchGetSecretValue API to improve your client-side applications with AWS Secrets Manager

Jun 18, 2024: This post has been updated to revise the example IAM policies. AWS Secrets Manager is a service that helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. You can use Secrets Manager to help remove hard-coded credentials in application source code. […]

AWS Identity and Access Management

How to use the PassRole permission with IAM roles

iam:PassRole is an AWS Identity and Access Management (IAM) permission that allows an IAM principal to delegate or pass permissions to an AWS service by configuring a resource such as an Amazon Elastic Compute Cloud (Amazon EC2) instance or AWS Lambda function with an IAM role. The service then uses that role to interact with […]

How to use multiple instances of AWS IAM Identity Center

February 29, 2024: This post has been updated to include the account instances opt-in feature supported for member accounts in AWS Organizations. November 28, 2023: This blog has been updated to include Identity Center instances deployment patterns. November 22, 2023: We updated the information about account instances of Identity Center availability. Recently, AWS launched a […]

Establishing a data perimeter on AWS: Require services to be created only within expected networks

Welcome to the fifth post in the Establishing a data perimeter on AWS series. Throughout this series, we’ve discussed how a set of preventative guardrails can create an always-on boundary to help ensure that your trusted identities are accessing your trusted resources over expected networks. In a previous post, we emphasized the importance of preventing […]

Download AWS Security Hub CSV report

AWS Security Hub provides a comprehensive view of your security posture in Amazon Web Services (AWS) and helps you check your environment against security standards and best practices. In this post, I show you a solution to export Security Hub findings to a .csv file weekly and send an email notification to download the file from Amazon Simple […]

Implement an early feedback loop with AWS developer tools to shift security left

February 7, 2024: This post has been updated to reflect the CloudFormation changes for AWS Cloud9 instances requiring an ImageId for deployment as of December 4th 2023. Refer to the AWS Cloud9 documentation for further details. Early feedback loops exist to provide developers with ongoing feedback through automated checks. This enables developers to take early […]

Automate and enhance your code security with AI-powered services

Organizations are increasingly embracing a shift-left approach when it comes to security, actively integrating security considerations into their software development lifecycle (SDLC). This shift aligns seamlessly with modern software development practices such as DevSecOps and continuous integration and continuous deployment (CI/CD), making it a vital strategy in today’s rapidly evolving software development landscape. At its […]

Building sensitive data remediation workflows in multi-account AWS environments

The rapid growth of data has empowered organizations to develop better products, more personalized services, and deliver transformational outcomes for their customers. As organizations use Amazon Web Services (AWS) to modernize their data capabilities, they can sometimes find themselves with data spread across several AWS accounts, each aligned to distinct use cases and business units. […]

Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Mar 25, 2024: We have fixed the JSON code examples which caused errors by replacing the curly quotes with straight quotes. November 14, 2023: We’ve updated this post to use IAM Identity Center and follow updated IAM best practices. In this post, we discuss the concept of folders in Amazon Simple Storage Service (Amazon S3) […]

Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP

With Amazon Cognito user pools, you can add user sign-up and sign-in features and control access to your web and mobile applications. You can enable your users who already have accounts with other identity providers (IdPs) to skip the sign-up step and sign in to your application by using an existing account through SAML 2.0 […]